
I Have A Targetedbanner Virus


23 replies to this topic

#1 kambrilyn


Posted 28 June 2008 - 04:51 PM

I am writing this from my laptop. On my PC, it keeps turning off my popup blocker and all these windows keep popping up. If I try to go to the internet, I get a Windows message alert. In the address bar it says C:\WINDOWS\system32\spywarewarning.mht. I am running Windows XP, and McAfee Security Center. I have never come up against this before, so it is all new to me. Anything that you would have me download I will load to my memory stick and put on my PC. Your help is greatly appreciated.


#2 DaChew

    Visiting Alien
  • BC Advisor

Posted 28 June 2008 - 05:52 PM

Let's be on the safe side and assume the infection can spread to a usb pen drive

http://www.bleepingcomputer.com/forums/ind...st&p=798468

in this list you might as well download all of them and the manual updates in the next post

http://www.bleepingcomputer.com/forums/ind...st&p=845007

http://www.superantispyware.com/definitions.html

please download these 2 def updates and see the note at the bottom about installing them

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

let's start with MBAM but transfer and install all the programs

post the log back with the immunized drive if you want or if the infected computer is acting better with it
Chewy

No. Try not. Do... or do not. There is no try.

#3 kambrilyn

  • Topic Starter

Posted 28 June 2008 - 06:09 PM

Malwarebytes' Anti-Malware 1.19
Database version: 900
Windows 5.1.2600 Service Pack 2

6:52:37 PM 6/28/2008
mbam-log-6-28-2008 (18-52-37).txt

Scan type: Quick Scan
Objects scanned: 93747
Time elapsed: 23 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\targetedbanner (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (C:\WINDOWS\system32\spywarewarning.mht) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (C:\WINDOWS\system32\spywarewarning.mht) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\B.tmp (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\Downloader.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\adptifu.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\lfn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uoyzsydz.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{eedbe122-ff59-d011-3bf3-eaee3d2f85c4}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{eedbe122-ff59-d011-3bf3-eaee3d2f85c4}.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\000050.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000060.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spywarewarning.mht (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\spywarewarning2.mht (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
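The MBAM log above lists everything that was removed, but the entries are not all of equal weight: the Adware.PopCap and Adware.Minibug CLSID and TypeLib keys are leftover registration clutter, whereas the Run and RunServices values, the MsSecurity service registration, the driver under system32\drivers, the hijacked Start Page and the DisableTaskMgr policy are persistence and tampering indicators, and the "Delete on reboot" entries are files that were still locked and should be confirmed gone on the next scan. The following is an added example, not code from this thread or from Malwarebytes: a small Python parser for this log format that pulls out location, detection name and action per line, then separates those categories. The sample lines are copied from the log above; the classification rules, their labels and the function names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of lines copied from the MBAM log posted above,
# kept short so the parser can be exercised offline.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (C:\WINDOWS\system32\spywarewarning.mht) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\adptifu.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spywarewarning.mht (Trojan.FakeAlert) -> Delete on reboot.
"""

# One result line: "<location> (<detection>) -> [Bad: (...) Good: (...) -> ]<action>"
FINDING_RE = re.compile(r"^(?P<location>.*?) \((?P<detection>[A-Za-z][\w.]*)\) -> (?P<rest>.*)$")
HIJACK_RE = re.compile(r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)")


@dataclass
class Finding:
    section: str            # e.g. "Registry Values Infected"
    location: str           # registry path or file path
    detection: str          # e.g. "Trojan.Agent", "Hijack.Homepage"
    action: str             # e.g. "Quarantined and deleted successfully."
    details: Optional[str]  # "Bad: (...) Good: (...)" for data-item hijacks, else None


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the log, tracking the current section, and collect result lines."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # a section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = FINDING_RE.match(line)
        if not m:                       # summary counts, "(No malicious items detected)", etc.
            continue
        rest = m.group("rest")
        # Data-item lines carry a second " -> " separating the Bad/Good pair from the action
        details, action = rest.rsplit(" -> ", 1) if " -> " in rest else (None, rest)
        findings.append(Finding(section, m.group("location"), m.group("detection"), action, details))
    return findings


# Locations that matter beyond adware clutter: autostart points, services and drivers,
# browser settings and policy tampering. Labels are my own, not MBAM's.
PERSISTENCE_RULES: List[Tuple[str, str]] = [
    (r"\\CurrentVersion\\Run(Services|Once)?\\", "autostart Run key"),
    (r"\\CurrentControlSet\\Services\\", "service or driver registration"),
    (r"\\system32\\drivers\\[^\\]+\.sys$", "kernel driver file"),
    (r"\\Internet Explorer\\Main\\Start Page$", "browser start page hijack"),
    (r"\\Policies\\System\\DisableTaskMgr$", "Task Manager disabled by policy"),
    (r"\\Browser Helper Objects\\", "IE browser helper object"),
]


def classify(f: Finding) -> Optional[str]:
    """Label a finding by the persistence/tampering mechanism its location implies."""
    for pattern, label in PERSISTENCE_RULES:
        if re.search(pattern, f.location, re.IGNORECASE):
            return label
    return None


def hijacked_value(f: Finding) -> Optional[Tuple[str, str]]:
    """Return (bad, good) for a Registry Data Item entry, else None."""
    if f.details is None:
        return None
    m = HIJACK_RE.search(f.details)
    return (m.group("bad"), m.group("good")) if m else None


def summarize(findings: List[Finding]) -> Dict[str, object]:
    return {
        "total": len(findings),
        "by_detection": Counter(f.detection for f in findings),
        "persistence": [(classify(f), f.location) for f in findings if classify(f)],
        # "Delete on reboot" means the file was locked; confirm it is gone on the next scan
        "pending_reboot": [f.location for f in findings if f.action.startswith("Delete on reboot")],
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print(f"{report['total']} findings: {dict(report['by_detection'])}")
    for label, location in report["persistence"]:
        print(f"  [{label}] {location}")
    print("pending reboot:", report["pending_reboot"])
```

Run against the full log above, the `persistence` list is the set of entries worth re-checking after cleanup, and `pending_reboot` is exactly what the request later in the thread to re-run an updated MBAM scan verifies: if any of those paths reappear in the follow-up log, the locked file survived the reboot.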

#4 DaChew

    Visiting Alien
  • BC Advisor

Posted 28 June 2008 - 07:09 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

would you run atf cleaner and SAS from safe mode next?

Do you need help applying the SAS updates?

#5 kambrilyn

  • Topic Starter

Posted 29 June 2008 - 09:58 AM

Ok I did both of those. When I rebooted I get C:\windows\system32\rlelvrahjaej.dll The specified module could not be found.

Edited by kambrilyn, 29 June 2008 - 10:01 AM.


#6 DaChew

    Visiting Alien
  • BC Advisor

Posted 29 June 2008 - 10:15 AM

http://www.bleepingcomputer.com/forums/ind...st&p=867039

that error with a randomly named file is usually a good sign, but it also means something was missed that calls for Windows to look for an infected file that was removed

post that SAS log and run another updated MBAM scan please, also post that log

Edited by DaChew, 29 June 2008 - 10:25 AM.


#7 kambrilyn

  • Topic Starter

Posted 29 June 2008 - 10:23 AM

Got it!
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/28/2008 at 10:18 PM

Application Version : 4.15.1000

Core Rules Database Version : 3493
Trace Rules Database Version: 1484

Scan type : Quick Scan
Total Scan Time : 00:48:20

Memory items scanned : 192
Memory threats detected : 0
Registry items scanned : 499
Registry threats detected : 9
File items scanned : 8897
File threats detected : 166

Adware.AdRotate/System
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fac54024-e816-56bd-951c-a0c8832438d3}
HKCR\CLSID\{FAC54024-E816-56BD-951C-A0C8832438D3}
HKCR\CLSID\{FAC54024-E816-56BD-951C-A0C8832438D3}
HKCR\CLSID\{FAC54024-E816-56BD-951C-A0C8832438D3}\InProcServer32
HKCR\CLSID\{FAC54024-E816-56BD-951C-A0C8832438D3}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\RLELVRAHJAEJ.DLL

Browser Hijacker.Internet Explorer Settings Hijack
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINDOWS\system32\spywarewarning.mht ]
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINDOWS\system32\spywarewarning.mht ]
HKU\S-1-5-20_Classes\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINDOWS\system32\spywarewarning.mht ]
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINDOWS\system32\spywarewarning.mht ]

Adware.Tracking Cookie
C:\Documents and Settings\Todd\Cookies\todd@incutrack.car-stuff[1].txt
C:\Documents and Settings\Todd\Cookies\todd@www.discounttire[1].txt
C:\Documents and Settings\Todd\Cookies\todd@tacoda[1].txt
C:\Documents and Settings\Todd\Cookies\todd@adrevolver[2].txt
C:\Documents and Settings\Todd\Cookies\todd@e-2dj6wjloopdzcfq.stats.esomniture[2].txt
C:\Documents and Settings\Todd\Cookies\todd@casalemedia[1].txt
C:\Documents and Settings\Todd\Cookies\todd@adrevolver[3].txt
C:\Documents and Settings\Todd\Cookies\todd@www.googleadservices[3].txt
C:\Documents and Settings\Todd\Cookies\todd@insightexpressai[2].txt
C:\Documents and Settings\Todd\Cookies\todd@specificclick[3].txt
C:\Documents and Settings\Todd\Cookies\todd@specificclick[2].txt
C:\Documents and Settings\Todd\Cookies\todd@www.googleadservices[4].txt
C:\Documents and Settings\Todd\Cookies\todd@www.googleadservices[1].txt
C:\Documents and Settings\Todd\Cookies\todd@www.googleadservices[5].txt
C:\Documents and Settings\Todd\Cookies\todd@revsci[1].txt
C:\Documents and Settings\Todd\Cookies\todd@www.googleadservices[2].txt
C:\Documents and Settings\Todd\Cookies\todd@insightexpressai[1].txt
C:\Documents and Settings\Todd\Cookies\todd@hitbox[2].txt
C:\Documents and Settings\Todd\Cookies\todd@suntrackerboats[1].txt
C:\Documents and Settings\Todd\Cookies\todd@bravenet[1].txt
C:\Documents and Settings\Todd\Cookies\todd@adlegend[1].txt
C:\Documents and Settings\Todd\Cookies\todd@te.kontera[2].txt
C:\Documents and Settings\Todd\Cookies\todd@ge.bridgetrack[2].txt
C:\Documents and Settings\Todd\Cookies\todd@suntrackerboats[2].txt
C:\Documents and Settings\Todd\Cookies\todd@ad.yieldmanager[2].txt
C:\Documents and Settings\Todd\Cookies\todd@ads.addynamix[2].txt
C:\Documents and Settings\Todd\Cookies\todd@adbureau[1].txt
C:\Documents and Settings\Todd\Cookies\todd@tribalfusion[1].txt
C:\Documents and Settings\Todd\Cookies\todd@www.googleadservices[10].txt
C:\Documents and Settings\Todd\Cookies\todd@ads.nascar[2].txt
C:\Documents and Settings\Todd\Cookies\todd@www.burstnet[1].txt
C:\Documents and Settings\Todd\Cookies\todd@serving-sys[2].txt
C:\Documents and Settings\Todd\Cookies\todd@interclick[2].txt
C:\Documents and Settings\Todd\Cookies\todd@revenue[2].txt
C:\Documents and Settings\Todd\Cookies\todd@statse.webtrendslive[2].txt
C:\Documents and Settings\Todd\Cookies\todd@stat.onestat[2].txt
C:\Documents and Settings\Todd\Cookies\todd@tracking.keywordmax[1].txt
C:\Documents and Settings\Todd\Cookies\todd@server2.bkvtrack[2].txt
C:\Documents and Settings\Todd\Cookies\todd@ads.pointroll[1].txt
C:\Documents and Settings\Todd\Cookies\todd@server2.bkvtrack[3].txt
C:\Documents and Settings\Todd\Cookies\todd@ehg-dig.hitbox[1].txt
C:\Documents and Settings\Todd\Cookies\todd@statse.webtrendslive[1].txt
C:\Documents and Settings\Todd\Cookies\todd@msnportal.112.2o7[2].txt
C:\Documents and Settings\Todd\Cookies\todd@web4.realtracker[1].txt
C:\Documents and Settings\Todd\Cookies\todd@adecn[1].txt
C:\Documents and Settings\Todd\Cookies\todd@iacas.adbureau[2].txt
C:\Documents and Settings\Todd\Cookies\todd@www.hernandocounty[1].txt
C:\Documents and Settings\Todd\Cookies\todd@counter.hitslink[1].txt
C:\Documents and Settings\Todd\Cookies\todd@media.adrevolver[1].txt
C:\Documents and Settings\Todd\Cookies\todd@media.adrevolver[5].txt
C:\Documents and Settings\Todd\Cookies\todd@stat.dealtime[2].txt
C:\Documents and Settings\Todd\Cookies\todd@burstnet[1].txt
C:\Documents and Settings\Todd\Cookies\todd@media.adrevolver[2].txt
C:\Documents and Settings\Todd\Cookies\todd@media.adrevolver[3].txt
C:\Documents and Settings\Todd\Cookies\todd@mediaplex[1].txt
C:\Documents and Settings\Todd\Cookies\todd@ecnext.advertserve[1].txt
C:\Documents and Settings\Todd\Cookies\todd@eyewonder[1].txt
C:\Documents and Settings\Todd\Cookies\todd@imrworldwide[3].txt
C:\Documents and Settings\Todd\Cookies\todd@ads.cnn[2].txt
C:\Documents and Settings\Todd\Cookies\todd@enhance[1].txt
C:\Documents and Settings\Todd\Cookies\todd@bluestreak[1].txt
C:\Documents and Settings\Todd\Cookies\todd@partner2profit[1].txt
C:\Documents and Settings\Todd\Cookies\todd@advertising[2].txt
C:\Documents and Settings\Todd\Cookies\todd@advertising[1].txt
C:\Documents and Settings\Todd\Cookies\todd@apmebf[1].txt
C:\Documents and Settings\Todd\Cookies\todd@247realmedia[3].txt
C:\Documents and Settings\Todd\Cookies\todd@discounttire[2].txt
C:\Documents and Settings\Todd\Cookies\todd@adcache.bargaintraderonline[2].txt
C:\Documents and Settings\Todd\Cookies\todd@doubleclick[2].txt
C:\Documents and Settings\Todd\Cookies\todd@doubleclick[1].txt
C:\Documents and Settings\Todd\Cookies\todd@adopt.euroclick[1].txt
C:\Documents and Settings\Todd\Cookies\todd@atwola[2].txt
C:\Documents and Settings\Todd\Cookies\todd@collective-media[1].txt
C:\Documents and Settings\Todd\Cookies\todd@www.trackerboats[2].txt
C:\Documents and Settings\Todd\Cookies\todd@www.trackerboats[3].txt
C:\Documents and Settings\Todd\Cookies\todd@media.cardomain[1].txt
C:\Documents and Settings\Todd\Cookies\todd@samsclub.112.2o7[1].txt
C:\Documents and Settings\Todd\Cookies\todd@network.realmedia[1].txt
C:\Documents and Settings\Todd\Cookies\todd@ads.traderonline[2].txt
C:\Documents and Settings\Todd\Cookies\todd@server.iad.liveperson[4].txt
C:\Documents and Settings\Todd\Cookies\todd@server.iad.liveperson[3].txt
C:\Documents and Settings\Todd\Cookies\todd@server.iad.liveperson[2].txt
C:\Documents and Settings\Todd\Cookies\todd@server.iad.liveperson[1].txt
C:\Documents and Settings\Todd\Cookies\todd@server.iad.liveperson[5].txt
C:\Documents and Settings\Todd\Cookies\todd@statcounter[2].txt
C:\Documents and Settings\Todd\Cookies\todd@propertyfinderltd.122.2o7[1].txt
C:\Documents and Settings\Todd\Cookies\todd@fastclick[2].txt
C:\Documents and Settings\Todd\Cookies\todd@data.coremetrics[1].txt
C:\Documents and Settings\Todd\Cookies\todd@realmedia[2].txt
C:\Documents and Settings\Todd\Cookies\todd@realmedia[1].txt
C:\Documents and Settings\Todd\Cookies\todd@bizrate[1].txt
C:\Documents and Settings\Todd\Cookies\todd@server.iad.liveperson[6].txt
C:\Documents and Settings\Todd\Cookies\todd@www.suntrackerboats[1].txt
C:\Documents and Settings\Todd\Cookies\todd@pro-market[3].txt
C:\Documents and Settings\Todd\Cookies\todd@ehg-traderelectronicmedia.hitbox[2].txt
C:\Documents and Settings\Todd\Cookies\todd@247realmedia[1].txt
C:\Documents and Settings\Todd\Cookies\todd@feed.validclick[1].txt
C:\Documents and Settings\Todd\Cookies\todd@metacafe.122.2o7[1].txt
C:\Documents and Settings\Todd\Cookies\todd@trafficmp[1].txt
C:\Documents and Settings\Todd\Cookies\todd@trafficmp[2].txt
C:\Documents and Settings\Todd\Cookies\todd@indextools[2].txt
C:\Documents and Settings\Todd\Cookies\todd@bs.serving-sys[1].txt
C:\Documents and Settings\Todd\Cookies\todd@112.2o7[2].txt
C:\Documents and Settings\Todd\Cookies\todd@ads.nascar[1].txt
C:\Documents and Settings\Todd\Cookies\todd@2o7[2].txt
C:\Documents and Settings\Todd\Cookies\todd@adopt.specificclick[2].txt
C:\Documents and Settings\Todd\Cookies\todd@ads.cnn[1].txt
C:\Documents and Settings\Todd\Cookies\todd@anad.tacoda[1].txt
C:\Documents and Settings\Todd\Cookies\todd@atdmt[2].txt
C:\Documents and Settings\Todd\Cookies\todd@bonniercorp.122.2o7[1].txt
C:\Documents and Settings\Todd\Cookies\todd@bonniercorp.122.2o7[2].txt
C:\Documents and Settings\Todd\Cookies\todd@cgm.adbureau[2].txt
C:\Documents and Settings\Todd\Cookies\todd@crackle[1].txt
C:\Documents and Settings\Todd\Cookies\todd@dga.specificclick[1].txt
C:\Documents and Settings\Todd\Cookies\todd@dominionenterprises.112.2o7[1].txt
C:\Documents and Settings\Todd\Cookies\todd@dominionenterprises.112.2o7[2].txt
C:\Documents and Settings\Todd\Cookies\todd@dynamic.media.adrevolver[2].txt
C:\Documents and Settings\Todd\Cookies\todd@ehg-bootbarn.hitbox[1].txt
C:\Documents and Settings\Todd\Cookies\todd@eb.adbureau[1].txt
C:\Documents and Settings\Todd\Cookies\todd@ehg-autozone.hitbox[2].txt
C:\Documents and Settings\Todd\Cookies\todd@ehg-groupernetworks.hitbox[2].txt
C:\Documents and Settings\Todd\Cookies\todd@ehg-traderpublishing.hitbox[2].txt
C:\Documents and Settings\Todd\Cookies\todd@ehg-traderpublishing.hitbox[3].txt
C:\Documents and Settings\Todd\Cookies\todd@ehg-triseptsoultions.hitbox[1].txt
C:\Documents and Settings\Todd\Cookies\todd@fdau.adbureau[1].txt
C:\Documents and Settings\Todd\Cookies\todd@ford.112.2o7[1].txt
C:\Documents and Settings\Todd\Cookies\todd@gmgmacfs.112.2o7[1].txt
C:\Documents and Settings\Todd\Cookies\todd@homestore.122.2o7[1].txt
C:\Documents and Settings\Todd\Cookies\todd@imrworldwide[2].txt
C:\Documents and Settings\Todd\Cookies\todd@kontera[1].txt
C:\Documents and Settings\Todd\Cookies\todd@linksynergy[2].txt
C:\Documents and Settings\Todd\Cookies\todd@msnportal.112.2o7[1].txt
C:\Documents and Settings\Todd\Cookies\todd@nextag[1].txt
C:\Documents and Settings\Todd\Cookies\todd@overture[2].txt
C:\Documents and Settings\Todd\Cookies\todd@pro-market[1].txt
C:\Documents and Settings\Todd\Cookies\todd@questionmarket[2].txt
C:\Documents and Settings\Todd\Cookies\todd@sales.liveperson[1].txt
C:\Documents and Settings\Todd\Cookies\todd@sales.liveperson[2].txt
C:\Documents and Settings\Todd\Cookies\todd@sales.liveperson[3].txt
C:\Documents and Settings\Todd\Cookies\todd@sales.liveperson[4].txt
C:\Documents and Settings\Todd\Cookies\todd@shopping.112.2o7[1].txt
C:\Documents and Settings\Todd\Cookies\todd@traffic.prod.cobaltgroup[1].txt
C:\Documents and Settings\Todd\Cookies\todd@trackerboats[1].txt
C:\Documents and Settings\Todd\Cookies\todd@unitedcountry[1].txt
C:\Documents and Settings\Todd\Cookies\todd@unitedcountry[3].txt
C:\Documents and Settings\Todd\Cookies\todd@valueclick[1].txt
C:\Documents and Settings\Todd\Cookies\todd@zedo[1].txt
C:\Documents and Settings\Todd\Cookies\todd@zedo[2].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@www5.addfreestats[1].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@www7.addfreestats[1].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@ads.adbrite[1].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@www.googleadservices[1].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@admarketplace[2].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@ads.cnn[1].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@atwola[1].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@cpvfeed[2].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@kanoodle[1].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@kmpads[2].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@nextag[2].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@partner2profit[2].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@pt.crossmediaservices[1].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@sales.liveperson[1].txt
C:\Documents and Settings\Todd\Local Settings\Temp\Cookies\todd@sales.liveperson[2].txt

Trojan.Dropper/Gen-Loader
C:\WINDOWS\444.471

Trojan.Dropper/Gen-PortSv
C:\WINDOWS\PORTSV.EXE

Edited by kambrilyn, 29 June 2008 - 10:25 AM.


#8 DaChew

    Visiting Alien
  • BC Advisor

Posted 29 June 2008 - 10:26 AM

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.


from my link to Quietman7's guide (we call them cans)

#9 DaChew

    Visiting Alien
  • BC Advisor

Posted 29 June 2008 - 10:29 AM

would you rerun MBAM and report on how the computer is running please

You have made good progress

#10 kambrilyn

  • Topic Starter

Posted 29 June 2008 - 10:37 AM

I am running the scan now. It is running much better. I can get on the internet now. And I am not getting popups all the time now about spyware.

#11 kambrilyn

  • Topic Starter

Posted 29 June 2008 - 10:41 AM

It said that nothing was found.

#12 DaChew

    Visiting Alien
  • BC Advisor

Posted 29 June 2008 - 10:49 AM

That's excellent, especially for a computer that couldn't get online and with so few posts in this thread

:thumbsup:

Just to be safe when you have the time would you run this online scan and let Kasp look for infections or infectors

http://www.kaspersky.com/virusscanner

there might be some further cleanup we need to do

#13 kambrilyn

  • Topic Starter

Posted 29 June 2008 - 02:36 PM

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, June 29, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, June 29, 2008 16:47:22
Records in database: 897224
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 147747
Threat name: 10
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 02:16:07


File name / Threat name / Threats count
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.32343 Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1
C:\Documents and Settings\Owner\My Documents\filelib\setupneoaudio.exe Infected: not-a-virus:AdWare.Win32.IPInsight.a 1
C:\Documents and Settings\Owner\My Documents\filelib\setupneoaudio.exe Infected: not-a-virus:AdWare.Win32.IGetNet.a 1
C:\Documents and Settings\Owner\My Documents\filelib\setupneoaudio.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bx 1
C:\Documents and Settings\Owner\My Documents\filelib\setupneoaudio.exe Infected: not-a-virus:AdWare.Win32.EZula.d 1
C:\Documents and Settings\Owner\My Documents\filelib\setupneoaudio.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.v 1
C:\Documents and Settings\Owner\My Documents\filelib\setupneoaudio.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.a 1
C:\Documents and Settings\Owner\My Documents\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Documents and Settings\Todd\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-21861927 Infected: Trojan-Downloader.Java.OpenStream.ab 1
C:\Documents and Settings\Todd\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-4b9c0e39-6509a8f1.zip Infected: Trojan-Downloader.Java.OpenStream.ab 1
C:\Program Files\Mirc\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1

The selected area was scanned.

#14 DaChew

    Visiting Alien
  • BC Advisor

Posted 29 June 2008 - 03:57 PM

would you manually delete those bad files in the filelib folder

see if you can uninstall the Mirc program thru add/remove in control panel

Rerun atf cleaner and remove all for IE, firefox etc

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

#15 kambrilyn

  • Topic Starter

Posted 29 June 2008 - 05:44 PM

OK, deleted the bad files. No, I cannot delete mIRC through Add/Remove, or through the uninstaller in the program folder itself.
I ran the ATF Cleaner, and here is the log

SmitFraudFix v2.328

Scan done at 18:45:16.34, Sun 06/29/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Owner


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


Rustock



DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 65.32.5.111
DNS Server Search Order: 65.32.5.112

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BC9A4F20-15EF-442E-A5E1-BD9E3EE1D401}: DhcpNameServer=65.32.5.111 65.32.5.112
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BC9A4F20-15EF-442E-A5E1-BD9E3EE1D401}: DhcpNameServer=65.32.5.111 65.32.5.112
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BC9A4F20-15EF-442E-A5E1-BD9E3EE1D401}: DhcpNameServer=65.32.5.111 65.32.5.112
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.111 65.32.5.112
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.111 65.32.5.112
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.111 65.32.5.112


Scanning for wininet.dll infection


End



